CN106656499A - Terminal equipment dependable authentication method and system in digital copyright protection system - Google Patents


Info

Publication number
CN106656499A
Authority
CN
China
Prior art keywords
authentication
equipment
data block
management
equipment identities
Prior art date
Legal status
Granted
Application number
CN201510412791.3A
Other languages
Chinese (zh)
Other versions
CN106656499B (en)
Inventor
石晶
陆驿
孙照焱
陆达
Current Assignee
China news publishing research institute
Tongfang Co Ltd
Original Assignee
China news publishing research institute
Tongfang Co Ltd
Priority date
Filing date
Publication date
Application filed by China news publishing research institute, Tongfang Co Ltd
Priority to CN201510412791.3A
Publication of CN106656499A
Application granted
Publication of CN106656499B
Legal status: Active
Anticipated expiration


Abstract

The invention provides a trusted authentication method and system for terminal devices in a digital copyright protection system, and relates to the field of information security. The system comprises a device certification and authorization management system, a device registration management system, a device identity management and trusted authentication system, and a device identity authentication management system. The device certification and authorization management system comprises a device authorization manager and a device authentication manager. The device registration management system consists of a device registration manager. The device identity management and trusted authentication system comprises a device identity authorization manager and a device trusted authentication manager. The device identity authentication management system comprises an identity registration manager and an identity authentication manager. The terminal device trusted authentication system provided by the invention combines asymmetric cryptography with trusted authentication technology, achieves unified management of the legality authorization and trusted identity verification of terminal devices, and builds a safe and trusted terminal device environment for the copyright protection of digital content.

Description

Trusted authentication method and system for terminal devices in a digital copyright protection system
Technical field
The present invention relates to the field of information security, and in particular to a trusted authentication method and system for terminal devices in a digital copyright protection system.
Background technology
The terminal device in a digital copyright protection system is the device on which digital content is displayed. It controls the lawful use of digital content on the user side, prevents unauthorized copying of digital content, and ensures that the user can use the content only within the usage rights granted. The terminal device is therefore a key component in the successful implementation of digital copyright protection technology, and its own device legality and identity credibility are important foundations of the digital copyright protection system.
In a digital copyright protection system, the device legality of a terminal device means that it has been lawfully authorized by the digital copyright protection system, and its identity credibility means that it is a legitimate device belonging to an authenticated, valid user. Trusted authentication of a terminal device in a digital copyright protection system is therefore multi-level.
In existing digital copyright protection systems, trusted authentication of terminal devices mainly relies on an authentication mode based on PKI (Public Key Infrastructure) technology to ensure the legitimacy of the terminal device. With the rapid development of digital technology, this single device authentication method can no longer satisfy the copyright protection demands of today's many kinds of digital content and applications. Trusted authentication technologies therefore need to be used in combination to achieve unified trusted authentication and management of both the device legality and the identity of terminal devices.
The content of the invention
In view of the above problems in the prior art, the object of the present invention is to provide a trusted authentication method and system for terminal devices in a digital copyright protection system. It combines asymmetric cryptography with trusted authentication technology, achieves unified management of the legality authorization and trusted identity verification of terminal devices, and builds a safe and reliable terminal device environment for the copyright protection of digital content.
To achieve the above object, the technical solution is as follows:
A trusted authentication method for terminal devices in a digital copyright protection system uses a terminal device trusted authentication system made up of a device certification and authorization management system used by a third-party device certification authority, a device registration management system used by the terminal device manufacturer, a device identity management and trusted authentication system used by the operating service end system of the digital copyright protection system, and a device identity authentication management system used by the terminal device end system of the digital copyright protection system. The device certification and authorization management system consists of a device authorization manager and a device authentication manager. The device registration management system consists of a device registration manager. The device identity management and trusted authentication system consists of a device identity authorization manager and a device trusted authentication manager. The device identity authentication management system consists of an identity registration manager and an identity authentication manager. The main implementation steps are:
1) Device information registration and authorization processing:
1. The device registration manager in the device registration management system obtains the device feature information from the terminal device and generates a device information registration request data block, which contains the device feature information, the device public key, and a digital signature of the data block made with the device private key.
2. The device information registration request data block is delivered to the device certification and authorization management system through the secure network tunnel between the device registration management system and the device certification and authorization management system.
3. The device authorization manager in the device certification and authorization management system verifies the digital signature of the device information registration request data block using the device public key contained in the block, confirming the block's legitimacy and integrity. If the signature verifies, it generates a unique device identifier DevID and an encryption key Kd corresponding one-to-one with DevID, and encrypts the device feature information in the data block with Kd using a symmetric encryption algorithm, obtaining the device feature information ciphertext. DevID and Kd are stored in the device certification and authorization management system.
4. The device authorization manager in the device certification and authorization management system generates the device certificate of the terminal device. The device certificate contains the unique device identifier DevID, the device public key, the device feature information ciphertext, the authorization system public key, and a digital signature of the device certificate made with the authorization system private key.
5. The device certificate of the terminal device is delivered to the terminal device through the secure network tunnel between the device registration management system and the device certification and authorization management system, and is stored on the terminal device.
2) Device identity registration and authorization processing:
1. The identity registration manager of the device identity authentication management system obtains the user identity information, the device feature information and the device certificate from the terminal device end system of the digital copyright protection system, and verifies the digital signature of the device certificate using the authorization system public key contained in the certificate, confirming the certificate's legitimacy and integrity. If the signature verifies, it generates a device identity registration request data block containing the user identity information, the device feature information, the device certificate, and a digital signature of the data block made with the device private key.
2. The device identity registration request data block is delivered to the device identity management and trusted authentication system through the secure network tunnel between the device identity authentication management system and the device identity management and trusted authentication system.
3. The device identity authorization manager in the device identity management and trusted authentication system verifies the digital signature of the device identity registration request data block using the device public key in the device certificate contained in the block, confirming the block's legitimacy and integrity. If the signature verifies, the device identity authorization manager obtains the user identity information for the device from the operating service end system of the digital copyright protection system and compares it with the user identity information in the request block. If they match, it generates a device information authentication request data block containing the device feature information and the device certificate from the request block, the operating service public key, and a digital signature of the data block made with the operating service private key.
4. The device information authentication request data block is delivered to the device certification and authorization management system through the secure network tunnel between the device identity management and trusted authentication system and the device certification and authorization management system.
5. The device authentication manager of the device certification and authorization management system verifies the digital signature of the device information authentication request data block using the operating service public key contained in the block, confirming the block's legitimacy and integrity. If the signature verifies, it decrypts the device feature information ciphertext in the device certificate using the encryption key Kd stored in the device certification and authorization management system for the DevID in the certificate, obtaining the device feature information plaintext, and compares it with the device feature information in the request block. If they match, it generates a device identity registration reply data block containing the device feature information, the device certificate, and a digital signature of the reply block made with the authorization system private key.
6. The device identity registration reply data block is delivered to the device identity management and trusted authentication system through the secure network tunnel between the device identity management and trusted authentication system and the device certification and authorization management system.
7. The device identity authorization manager in the device identity management and trusted authentication system verifies the digital signature of the device identity registration reply data block using the authorization system public key in the device certificate contained in the reply block, confirming the reply block's legitimacy and integrity. If the signature verifies, it generates a unique device identity identifier DevUID and an encryption key Ku corresponding one-to-one with DevUID, and encrypts the device feature information and the user identity information from the device identity registration request data block separately with Ku using a symmetric encryption algorithm, obtaining the device feature information ciphertext and the user identity information ciphertext. DevUID and Ku are stored in the device identity management and trusted authentication system.
8. The device identity authorization manager in the device identity management and trusted authentication system generates the device identity credential, which contains the identity identifier DevUID, the device certificate, the device feature information ciphertext, the user identity information ciphertext, the operating service public key, and a digital signature of the credential made with the operating service private key.
9. The device identity credential is delivered to the terminal device through the secure network tunnel between the device identity management and trusted authentication system and the device identity authentication management system, and is stored on the terminal device.
3) Trusted authentication processing of the terminal device:
1. The identity authentication manager of the device identity authentication management system obtains the user identity information, the device feature information and the device identity credential from the terminal device end system of the digital copyright protection system, and verifies the digital signature of the device identity credential using the operating service public key contained in the credential, confirming the credential's legitimacy and integrity. If the signature verifies, it generates a device identity authentication request data block containing the user identity information, the device feature information, the device identity credential, and a digital signature of the data block made with the device private key.
2. The device identity authentication request data block is delivered to the device identity management and trusted authentication system through the secure network tunnel between the device identity authentication management system and the device identity management and trusted authentication system.
3. The device trusted authentication manager in the device identity management and trusted authentication system verifies the digital signature of the device identity authentication request data block using the device public key in the device certificate contained in the block, confirming the block's legitimacy and integrity. If the signature verifies, it decrypts the device feature information ciphertext and the user identity information ciphertext in the device identity credential using the encryption key Ku stored in the device identity management and trusted authentication system for the DevUID in the credential, obtaining the device feature information plaintext and the user identity information plaintext, and compares each with the device feature information and the user identity information in the request block. If both match, the device identity management and trusted authentication system has completed the trusted authentication of the terminal device's identity.
In the above trusted authentication method, the operating service end system of the digital copyright protection system is a component of the digital content service operating service end system and implements the management and control of digital content copyright protection at the operating service end. The terminal device end system of the digital copyright protection system is a component of the digital content service terminal device end system and implements the management and control of digital content copyright protection on the terminal device.
In the above method, the authorization system public key and authorization system private key are managed by the device certification and authorization management system. The device public key and device private key are built into a tamper-resistant storage area of the terminal device by the manufacturer before the device leaves the factory, and correspond one-to-one with the terminal device. The operating service public key and operating service private key are managed by the device identity management and trusted authentication system.
In the above method, the device feature information is a group of fixed-length data generated from the readable hardware identification information of one or more components of the terminal device that uniquely identifies those components. The components of the terminal device include key building blocks such as the CPU, mainboard, hard disk, network card, USB device, optical drive and SD card. The hardware identification information of the components includes the serial number of the CPU, the serial number of the mainboard, the serial number of the hard disk, the MAC address of the network card, the serial number of the USB device, the serial number of the optical drive, the serial number of the SD card, and the like.
In the above method, the user identity information refers to security information provided by the user or private information obtained secretly by the system; the security information provided by the user is information known only to the user, and the private information obtained secretly by the system is security information on the user's specific device.
In the above method, the secure network tunnel refers to a network data channel that guarantees data confidentiality, data integrity, source identity verification and resistance to replay attacks.
A trusted authentication system for terminal devices in a digital copyright protection system is structurally characterized in that it consists of a device certification and authorization management system, a device registration management system, a device identity management and trusted authentication system, and a device identity authentication management system. The device certification and authorization management system consists of a device authorization manager and a device authentication manager. The device registration management system consists of a device registration manager. The device identity management and trusted authentication system consists of a device identity authorization manager and a device trusted authentication manager. The device identity authentication management system consists of an identity registration manager and an identity authentication manager. The device certification and authorization management system is used by the third-party device certification authority and performs the authorization management and authentication management functions for terminal devices. The device registration management system is used by the terminal device manufacturer and performs the device registration and authorization management function before the device leaves the factory. The device identity management and trusted authentication system is used by the operating service end system of the digital copyright protection system and performs the identity authorization management of terminal devices at the operating service end together with the trusted authentication management of terminal device identity authentication and device authentication. The device identity authentication management system is used by the terminal device end system of the digital copyright protection system and performs the identity registration management and identity authentication management functions of the terminal device.
As a result of the above method and structure, the present invention achieves trusted device authentication of terminal devices through the device authorization and authentication management performed by the third-party device certification authority in the digital copyright protection system, and trusted identity authentication of terminal devices through the identity authorization and authentication management performed by the operating service end system of the digital copyright protection system. The present invention provides a trusted authentication and management technique for the terminal device legality certification of a digital copyright protection system. Working at two levels, the certification of the terminal device's own legitimacy and the certification of the legitimate relationship between device and user, it solves the problem of unified trusted authentication of terminal devices and provides a reliable technical guarantee for the authorization management and playback control of digital content in the digital copyright protection system.
The invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Description of the drawings
Fig. 1 is a schematic structural diagram of the system of the present invention;
Fig. 2 is a schematic flow chart of the device information registration and authorization processing in the method of the present invention;
Fig. 3 to Fig. 5 are schematic flow charts of the device identity registration and authorization processing in the method of the present invention;
Fig. 6 is a schematic flow chart of the trusted authentication processing of the terminal device in the method of the present invention.
Specific embodiment
Referring to Fig. 1, the system that implements the trusted authentication method for terminal devices in a digital copyright protection system consists of a device certification and authorization management system A, a device registration management system B, a device identity management and trusted authentication system C, and a device identity authentication management system D.
The device certification and authorization management system A is the system used by the third-party device certification authority. It consists of a device authorization manager 1 and a device authentication manager 2 and performs the authorization management and authentication management functions for terminal devices. On the one hand, it generates the device certificate 8 from the device registration information, thereby managing the device authorization of the terminal device; on the other hand, by verifying the device certificate 8, it performs the device legality authentication of the terminal device.
The device registration management system B is the system used by the terminal device manufacturer. It consists of a device registration manager 3 and performs the generation of the device registration information and the registration authorization management before the device leaves the factory.
The device identity management and trusted authentication system C is the system used by the operating service end system of the digital copyright protection system. It consists of a device identity authorization manager 4 and a device trusted authentication manager 5. On the one hand, it generates the device identity credential 9 after the device legality authentication and the user identity confirmation of the device, thereby managing the identity authorization of the terminal device at the operating service end; on the other hand, by verifying the device identity credential 9, it performs the trusted authentication management of the identity authentication and device authentication of the terminal device.
The device identity authentication management system D is the system used by the terminal device end system of the digital copyright protection system. It consists of an identity registration manager 6 and an identity authentication manager 7 and performs the identity registration management and identity authentication management functions of the terminal device.
Referring to Fig. 2 to Fig. 6, the steps when the method of the present invention is used are:
1) Device information registration and authorization processing:
1. The device registration manager 3 in the device registration management system B obtains the device feature information from the terminal device and generates a device information registration request data block, which contains the device feature information, the device public key, and a digital signature of the data block made with the device private key.
2. The device information registration request data block is delivered to the device certification and authorization management system A through the secure network tunnel between the device registration management system B and the device certification and authorization management system A.
3. The device authorization manager 1 in the device certification and authorization management system A verifies the digital signature of the device information registration request data block using the device public key contained in the block, confirming the block's legitimacy and integrity. If the signature verifies, it generates a unique device identifier DevID and an encryption key Kd corresponding one-to-one with DevID, and encrypts the device feature information in the data block with Kd using a symmetric encryption algorithm, obtaining the device feature information ciphertext. DevID and Kd are stored in the device certification and authorization management system A.
4. The device authorization manager 1 in the device certification and authorization management system A generates the device certificate 8 of the terminal device. The device certificate 8 contains the unique device identifier DevID, the device public key, the device feature information ciphertext, the authorization system public key, and a digital signature of the device certificate made with the authorization system private key.
5. The device certificate 8 of the terminal device is delivered to the terminal device through the secure network tunnel between the device registration management system B and the device certification and authorization management system A, and is stored on the terminal device.
2) Device identity registration and authorization processing:
1. The identity registration manager 6 of the device identity authentication management system D obtains the user identity information, the device feature information and the device certificate 8 from the terminal device end system of the digital copyright protection system, and verifies the digital signature of the device certificate using the authorization system public key contained in the device certificate 8, confirming the certificate's legitimacy and integrity. If the signature verifies, it generates a device identity registration request data block containing the user identity information, the device feature information, the device certificate 8, and a digital signature of the data block made with the device private key.
2. The device identity registration request data block is delivered to the device identity management and trusted authentication system C through the secure network tunnel between the device identity authentication management system D and the device identity management and trusted authentication system C.
3. The device identity authorization manager 4 in the device identity management and trusted authentication system C verifies the digital signature of the device identity registration request data block using the device public key in the device certificate 8 contained in the block, confirming the block's legitimacy and integrity. If the signature verifies, the device identity authorization manager obtains the user identity information for the device from the operating service end system of the digital copyright protection system and compares it with the user identity information in the request block. If they match, it generates a device information authentication request data block containing the device feature information and the device certificate 8 from the request block, the operating service public key, and a digital signature of the data block made with the operating service private key.
4. The device information authentication request data block is delivered to the device certification and authorization management system A through the secure network tunnel between the device identity management and trusted authentication system C and the device certification and authorization management system A.
5. The device authentication manager 2 of the device certification and authorization management system A verifies the digital signature of the device information authentication request data block using the operating service public key contained in the block, confirming the block's legitimacy and integrity. If the signature verifies, it decrypts the device feature information ciphertext in the device certificate 8 using the encryption key Kd stored in the device certification and authorization management system for the DevID in the certificate, obtaining the device feature information plaintext, and compares it with the device feature information in the request block. If they match, it generates a device identity registration reply data block containing the device feature information, the device certificate 8, and a digital signature of the reply block made with the authorization system private key.
6. The device identity registration reply data block is delivered to the device identity management and trusted authentication system C through the secure network tunnel between the device identity management and trusted authentication system C and the device certification and authorization management system A.
7. The device identity authorization manager 4 in the device identity management and trusted authentication system C verifies the digital signature of the device identity registration reply data block using the authorization system public key in the device certificate 8 contained in the reply block, confirming the reply block's legitimacy and integrity. If the signature verifies, it generates a unique device identity identifier DevUID and an encryption key Ku corresponding one-to-one with DevUID, and encrypts the device feature information and the user identity information from the device identity registration request data block separately with Ku using a symmetric encryption algorithm, obtaining the device feature information ciphertext and the user identity information ciphertext. DevUID and Ku are stored in the device identity management and trusted authentication system C.
8. equipment identities management generates equipment identities voucher 9, digital signature of the equipment identities voucher 9 comprising identity DevUID, device certificate 8, apparatus characteristic information ciphertext, subscriber identity information ciphertext, operation system public key and the equipment identities voucher using operation system private key signature with the equipment identities Authorization Manager 4 in authentic authentication system C.
9. equipment identities voucher 9 is managed by equipment identities and the secure network tunnel between authentic authentication system C and equipment identities authentication administrative system D is delivered to terminal unit, and is stored on the terminal device.
3 )The authentic authentication of terminal unit is processed:
1. the authentication manager 7 of equipment identities authentication administrative system D obtains subscriber identity information, apparatus characteristic information and the equipment identities voucher 9 of equipment from digital copyright protection system terminal unit end system; using the digital signature of the operation system public key verifications equipment identities voucher in equipment identities voucher 9, the legitimacy and integrity of equipment identities voucher are confirmed.Such as pass through digital signature authentication, generate the digital signature that subscriber identity information, apparatus characteristic information, equipment identities voucher and the equipment identities Service Ticket data block signed using device private are included in equipment identities Service Ticket data block, equipment identities Service Ticket data block.
2. equipment identities Service Ticket data block is managed by equipment identities authentication administrative system D and equipment identities and the secure network tunnel between authentic authentication system C is delivered to equipment identities management and authentic authentication system C.
3. the equipment authentic authentication manager 5 in equipment identities management and authentic authentication system C confirms the legitimacy and integrity of equipment identities Service Ticket data block using the digital signature of the equipment public key verifications equipment identities certification request for data block in device certificate 8 in equipment identities Service Ticket data block.Such as pass through digital signature authentication, managed and encryption key Ku corresponding with equipment identities mark DevUID in equipment identities voucher 9 in authentic authentication system C using equipment identities are stored in, respectively process is decrypted to the apparatus characteristic information ciphertext and subscriber identity information ciphertext in equipment identities voucher 9, obtain apparatus characteristic information in plain text with subscriber identity information in plain text, by apparatus characteristic information in plain text and subscriber identity information plaintext respectively with equipment identity information Service Ticket data block in apparatus characteristic information and subscriber identity information compare, if data are consistent, equipment identities are managed and realize the authentic authentication of the equipment identities to terminal unit with authentic authentication system.
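The nine registration steps and three authentication steps above are easier to follow as code. The following is an added example, not code from the patent: it models systems A and C, device certificate 8, device identity credential 9 and the signed data blocks the terminal sends, runs phase 2 and phase 3 end to end, and then shows the check that gives phase 3 its value, namely that a credential presented together with device feature information other than the one sealed under Ku is rejected. The type and function names, Ed25519 signatures over a JSON body, AES-256-GCM for the Kd/Ku encryption, the sample identifiers and user identity, and the direct call standing in for the secure tunnel between C and A are all assumptions of the example. Two details depart from the text as a defender would write them: C verifies the device certificate against a pinned copy of the authorization system public key rather than the copy carried inside the certificate (a key carried by the object it signs proves nothing about who signed it), and the terminal-side verifications of step 1 are reduced to the terminal signing its block, since the server-side checks are what the protocol relies on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Signatures are Ed25519 over the JSON encoding of a body; symmetric encryption is AES-256-GCM with the nonce
// prepended. The patent names neither algorithm, so both are assumptions of this example.
func enc(v interface{}) []byte                           { b, _ := json.Marshal(v); return b }
func sign(priv ed25519.PrivateKey, v interface{}) []byte { return ed25519.Sign(priv, enc(v)) }
func verify(pub, sig []byte, v interface{}) bool         { return len(pub) == 32 && ed25519.Verify(pub, enc(v), sig) }
func randBytes(n int) []byte                             { b := make([]byte, n); rand.Read(b); return b }
func gcm(k []byte) cipher.AEAD                           { blk, _ := aes.NewCipher(k); g, _ := cipher.NewGCM(blk); return g }
func seal(k, pt []byte) []byte                           { n := randBytes(12); return gcm(k).Seal(n, n, pt, nil) }
func open(k, ct []byte) ([]byte, error) { // an unknown DevID or DevUID yields a nil key: refuse, never panic
	if len(k) != 32 || len(ct) < 12 { return nil, errors.New("bad key or ciphertext") }
	return gcm(k).Open(nil, ct[:12], ct[12:], nil)
}

// Cert is device certificate 8, Credential is device identity credential 9, Block is the signed request a
// terminal sends in phase 2 (Cert set) or phase 3 (Cred set). Each is a body plus a signature over that body.
type CertBody struct{ DevID, DevPub, FeatCT, AuthPub []byte }
type Cert struct{ CertBody; Sig []byte }
type CredBody struct{ DevUID, FeatCT, UserCT, OpPub []byte; Cert Cert }
type Credential struct{ CredBody; Sig []byte }
type Body struct{ User, Feat []byte; Cert Cert; Cred *Credential }
type Block struct{ Body; Sig []byte }

// AuthSystem is system A, the only holder of Kd (indexed by DevID). ConfirmFeature models phase 2 step 5:
// decrypt the certificate's feature ciphertext with Kd and compare it with the presented feature information.
type AuthSystem struct{ kd map[string][]byte }
func (a *AuthSystem) ConfirmFeature(c Cert, feat []byte) bool {
	pt, err := open(a.kd[string(c.DevID)], c.FeatCT)
	return err == nil && bytes.Equal(pt, feat)
}

// OpSystem is system C. It pins A's public key instead of trusting the copy carried inside the certificate,
// keeps Ku per DevUID, and holds the operator's own record of the user bound to each DevID.
type OpSystem struct{ priv ed25519.PrivateKey; authPub []byte; ku, users map[string][]byte }

// Register models phase 2 steps 3, 5, 7 and 8 (the A<->C tunnel is a direct call here).
func (o *OpSystem) Register(b Block, a *AuthSystem) (*Credential, error) {
	c := b.Cert
	if !verify(o.authPub, c.Sig, c.CertBody) || !verify(c.DevPub, b.Sig, b.Body) {
		return nil, errors.New("certificate or request signature invalid")
	}
	if !bytes.Equal(o.users[string(c.DevID)], b.User) || !a.ConfirmFeature(c, b.Feat) {
		return nil, errors.New("user identity or device feature information rejected")
	}
	uid, ku := randBytes(8), randBytes(32)
	o.ku[string(uid)] = ku
	body := CredBody{DevUID: uid, Cert: c, FeatCT: seal(ku, b.Feat), UserCT: seal(ku, b.User), OpPub: o.priv.Public().(ed25519.PublicKey)}
	return &Credential{CredBody: body, Sig: sign(o.priv, body)}, nil
}

// Authenticate models phase 3 step 3: check the block with the device key from the credential's certificate,
// decrypt both ciphertexts with Ku and compare them with what the terminal presented.
func (o *OpSystem) Authenticate(b Block) error {
	cr := b.Cred
	if cr == nil || !verify(cr.Cert.DevPub, b.Sig, b.Body) {
		return errors.New("credential block signature invalid")
	}
	ku := o.ku[string(cr.DevUID)]
	feat, e1 := open(ku, cr.FeatCT)
	user, e2 := open(ku, cr.UserCT)
	if e1 != nil || e2 != nil || !bytes.Equal(feat, b.Feat) || !bytes.Equal(user, b.User) {
		return errors.New("presented information does not match credential")
	}
	return nil
}

// terminalBlock models phase 2 step 1 and phase 3 step 1: the terminal signs with its built-in private key.
func terminalBlock(devPriv ed25519.PrivateKey, user, feat []byte, c Cert, cr *Credential) Block {
	body := Body{User: user, Feat: feat, Cert: c, Cred: cr}
	return Block{Body: body, Sig: sign(devPriv, body)}
}

// RunScenario sets up phase 1 (certificate 8 issued under a fresh Kd), runs an honest registration and
// authentication, then an authentication whose feature information no longer matches the credential.
// Every identity value below is constructed sample data.
func RunScenario() (honestOK, mismatchOK bool) {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	user, feat, kd := []byte("user:alice"), []byte("cpu:SN-0001|mb:SN-0002|nic:00-11-22-33-44-55"), randBytes(32)
	certBody := CertBody{DevID: []byte("dev-0001"), DevPub: devPub, FeatCT: seal(kd, feat), AuthPub: authPub}
	cert := Cert{CertBody: certBody, Sig: sign(authPriv, certBody)}
	a := &AuthSystem{kd: map[string][]byte{"dev-0001": kd}}
	o := &OpSystem{priv: opPriv, authPub: authPub, ku: map[string][]byte{}, users: map[string][]byte{"dev-0001": user}}
	cred, err := o.Register(terminalBlock(devPriv, user, feat, cert, nil), a)
	if err != nil { return }
	honestOK = o.Authenticate(terminalBlock(devPriv, user, feat, Cert{}, cred)) == nil
	mismatchOK = o.Authenticate(terminalBlock(devPriv, user, []byte("cpu:SN-9999"), Cert{}, cred)) == nil
	return
}

func main() { println(RunScenario()) }
```

RunScenario returns (true, false): the honest authentication succeeds and the mismatched one is refused. Because Kd never leaves A and Ku never leaves C, and both are used with an authenticated cipher, a terminal cannot produce a certificate or credential that decrypts to feature information of its choosing; the decrypt-and-compare steps are what bind credential 9 to the hardware and user that were enrolled.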

Claims (7)

1. A trusted authentication method for terminal devices in a digital copyright protection system, using a terminal device trusted authentication and management system made up of a device certification authorization management system (A) used by a third-party device certification authority, a device registration management system (B) used by the terminal device manufacturer, a device identity management and trusted authentication system (C) used by the digital copyright protection system operations-service-side system, and a device identity authentication management system (D) used by the digital copyright protection system terminal-device-side system; the device certification authorization management system (A) is composed of a device authorization manager (1) and a device authentication manager (2); the device registration management system (B) is composed of a device registration manager (3); the device identity management and trusted authentication system (C) is composed of a device identity authorization manager (4) and a device trusted authentication manager (5); the device identity authentication management system (D) is composed of an identity registration manager (6) and an identity authentication manager (7); its main implementation steps are:
1) Device information registration and authorization:
1. The device registration manager (3) in the device registration management system (B) obtains device feature information from the terminal device and generates a device information registration application data block containing the device feature information, the device public key and a digital signature of the device information registration application data block made with the device private key;
2. The device information registration application data block is delivered to the device certification authorization management system (A) through the secure network tunnel between the device registration management system (B) and the device certification authorization management system (A);
3. The device authorization manager (1) in the device certification authorization management system (A) verifies the digital signature of the device information registration application data block with the device public key contained in the block, confirming the legitimacy and integrity of the device information registration application data block; if the signature verifies, it generates a device unique identifier DevID and an encryption key Kd in one-to-one correspondence with DevID, and encrypts the device feature information in the device information registration application data block with encryption key Kd and a symmetric encryption algorithm, obtaining a device feature information ciphertext; device unique identifier DevID and encryption key Kd are stored in the device certification authorization management system (A);
4. The device authorization manager (1) in the device certification authorization management system (A) generates the device certificate (8) of the terminal device, the device certificate (8) containing device unique identifier DevID, the device public key, the device feature information ciphertext, the authorization system public key and a digital signature of the device certificate (8) made with the authorization system private key;
The device certificate (8) of the terminal device is delivered to the terminal device through the secure network tunnel between the device registration management system (B) and the device certification authorization management system (A), and is stored on the terminal device;
2) Device identity registration and authorization:
1. The identity registration manager (6) of the device identity authentication management system (D) obtains the user identity information, device feature information and device certificate (8) of the device from the digital copyright protection system terminal-device-side system, and verifies the digital signature of the device certificate (8) with the authorization system public key contained in the device certificate (8), confirming the legitimacy and integrity of the device certificate (8); if the signature verifies, it generates a device identity registration request data block containing the user identity information, the device feature information, the device certificate and a digital signature of the device identity registration request data block made with the device private key;
2. The device identity registration request data block is delivered to the device identity management and trusted authentication system (C) through the secure network tunnel between the device identity authentication management system (D) and the device identity management and trusted authentication system (C);
3. The device identity authorization manager (4) in the device identity management and trusted authentication system (C) verifies the digital signature of the device identity registration request data block with the device public key contained in the device certificate (8) inside the block, confirming the legitimacy and integrity of the device identity registration request data block; if the signature verifies, the device identity authorization manager (4) obtains the user identity information of the device from the digital copyright protection system operations-service-side system and compares it with the user identity information in the device identity registration request data block; if the data agree, it generates a device information authentication request data block containing the device feature information from the device identity registration request data block, the device certificate, the operation system public key and a digital signature of the device information authentication request data block made with the operation system private key;
4. The device information authentication request data block is delivered to the device certification authorization management system (A) through the secure network tunnel between the device identity management and trusted authentication system (C) and the device certification authorization management system (A);
5. The device authentication manager (2) of the device certification authorization management system (A) verifies the digital signature of the device information authentication request data block with the operation system public key contained in the block, confirming the legitimacy and integrity of the device information registration application data block; if the signature verifies, it decrypts the device feature information ciphertext in the device certificate with the encryption key Kd stored in the device certification authorization management system (A) that corresponds to the device unique identifier DevID in the device certificate (8), obtains the device feature information plaintext, and compares it with the device feature information in the device information authentication request data block; if the data agree, it generates a device identity registration reply data block containing the device feature information, the device certificate (8) and a digital signature of the device identity registration reply data block made with the authorization system private key;
6. The device identity registration reply data block is delivered to the device identity management and trusted authentication system (C) through the secure network tunnel between the device identity management and trusted authentication system (C) and the device certification authorization management system (A);
7. The device identity authorization manager (4) in the device identity management and trusted authentication system (C) verifies the digital signature of the device identity registration reply data block with the authorization system public key contained in the device certificate (8) in the content of the device identity registration reply data block, confirming the legitimacy and integrity of the device information registration reply data block; if the signature verifies, it generates a unique device identity identifier DevUID and an encryption key Ku in one-to-one correspondence with DevUID, and encrypts the device feature information and the user identity information from the device identity registration request data block separately with encryption key Ku and a symmetric encryption algorithm, obtaining a device feature information ciphertext and a user identity information ciphertext; device identity identifier DevUID and encryption key Ku are stored in the device identity management and trusted authentication system (C);
8. The device identity authorization manager (4) in the device identity management and trusted authentication system (C) generates the device identity credential (9), the device identity credential (9) containing the identity identifier DevUID, the device certificate, the device feature information ciphertext, the user identity information ciphertext, the operation system public key and a digital signature of the device identity credential made with the operation system private key;
9. The device identity credential (9) is delivered to the terminal device through the secure network tunnel between the device identity management and trusted authentication system (C) and the device identity authentication management system (D), and is stored on the terminal device;
3) Trusted authentication of the terminal device:
1. The identity authentication manager (7) of the device identity authentication management system (D) obtains the user identity information, device feature information and device identity credential (9) of the device from the digital copyright protection system terminal-device-side system, and verifies the digital signature of the device identity credential (9) with the operation system public key contained in the device identity credential (9), confirming the legitimacy and integrity of the device identity credential (9); if the signature verifies, it generates a device identity authentication credential data block containing the user identity information, the device feature information, the device identity credential (9) and a digital signature of the device identity authentication credential data block made with the device private key;
2. The device identity authentication credential data block is delivered to the device identity management and trusted authentication system (C) through the secure network tunnel between the device identity authentication management system (D) and the device identity management and trusted authentication system (C);
3. The device trusted authentication manager (5) in the device identity management and trusted authentication system (C) verifies the digital signature of the device identity authentication request data block with the device public key contained in the device certificate inside the device identity authentication credential data block, confirming the legitimacy and integrity of the device identity authentication credential data block; if the signature verifies, it decrypts the device feature information ciphertext and the user identity information ciphertext in the device identity credential (9) separately with the encryption key Ku stored in the device identity management and trusted authentication system (C) that corresponds to the device identity identifier DevUID in the device identity credential (9), obtains the device feature information plaintext and the user identity information plaintext, and compares them respectively with the device feature information and user identity information in the device identity information authentication credential data block; if the data agree, the device identity management and trusted authentication system (C) has completed the trusted authentication of the terminal device's identity.
2. The terminal device trusted authentication method in a digital copyright protection system according to claim 1, characterized in that the digital copyright protection system operations-service-side system is a component of the digital content service operations-service-side system and performs the management and control of digital content copyright protection at the operations service side; the digital copyright protection system terminal-device-side system is a component of the digital content service terminal-device-side system and performs the management and control of digital content copyright protection on the terminal device.
3. The terminal device trusted authentication method in a digital copyright protection system according to claim 1 or 2, characterized in that the authorization system public key and authorization system private key are managed by the device certification authorization management system (A); the device public key and device private key are built into a tamper-resistant storage area of the terminal device by the manufacturer before the terminal device leaves the factory and correspond one-to-one with the terminal device; the operation system public key and operation system private key are managed by the device identity management and trusted authentication system (C).
4. The terminal device trusted authentication method in a digital copyright protection system according to claim 3, characterized in that the device feature information is a group of fixed-length data generated from hardware identification information that can be read from one or more components of the terminal device and uniquely identifies those components; the components of the terminal device include the key building blocks CPU, mainboard, hard disk, network interface card, USB device, optical drive and SD card, and the hardware identification information of the components includes the CPU serial number, the mainboard serial number, the hard disk serial number, the MAC address of the network interface card, the USB device serial number, the optical drive serial number and the SD card serial number.
5. The terminal device trusted authentication method in a digital copyright protection system according to claim 4, characterized in that the user identity information is security information supplied by the user or private information obtained secretly by the system; the security information supplied by the user is information known only to the user, and the private information obtained secretly by the system is security information held on equipment specific to the user.
6. The terminal device trusted authentication method in a digital copyright protection system according to claim 5, characterized in that the secure network tunnel is a network data channel that guarantees data confidentiality, data integrity, source identity verification and resistance to replay attacks.
7. A terminal device trusted authentication system in a digital copyright protection system, characterized in that it is composed of a device certification authorization management system (A), a device registration management system (B), a device identity management and trusted authentication system (C) and a device identity authentication management system (D); the device certification authorization management system (A) is composed of a device authorization manager (1) and a device authentication manager (2); the device registration management system (B) is composed of a device registration manager (3); the device identity management and trusted authentication system (C) is composed of a device identity authorization manager (4) and a device trusted authentication manager (5); the device identity authentication management system (D) is composed of an identity registration manager (6) and an identity authentication manager (7); the device certification authorization management system (A) is the system used by the third-party device certification authority and performs the authorization management and authentication management functions for terminal devices; the device registration management system (B) is the system used by the terminal device manufacturer and performs the device registration and authorization management function for devices before they leave the factory; the device identity management and trusted authentication system (C) is the system used by the digital copyright protection system operations-service-side system and performs, at the digital copyright protection system operations service side, the identity authorization management of terminal devices and the identity authentication and device-certification trusted authentication management functions for terminal devices; the device identity authentication management system (D) is the system used by the digital copyright protection system terminal-device-side system and performs the identity registration management and identity authentication management functions for terminal devices.
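Claim 4 says the device feature information is "a group of fixed-length data" generated from the component identifiers but leaves the derivation open. The following is an added example, not code from the patent: it builds a canonical form from the identifiers (fixed component order, trimmed and lower-cased values, length-prefixed fields, absent components recorded explicitly) and hashes it with SHA-256, so the result has a fixed length, does not depend on the order in which the components were enumerated or on formatting differences between readings, and changes when any identifier changes. The component labels, the field encoding, SHA-256 and the sample readings are all choices of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Components named in claim 4, in the fixed order used for the canonical form. The labels are this
// example's own; the claim names the parts but not how they are labelled.
var components = []string{"cpu", "mainboard", "disk", "nic-mac", "usb", "optical", "sdcard"}

// FeatureInfo derives the fixed-length device feature information (SHA-256, returned as 64 hex characters)
// from the hardware identifiers of the terminal's components. Values are trimmed and lower-cased so that
// formatting differences between two readings of the same hardware do not change the result; each value is
// length-prefixed so that no identifier can be parsed as a different field; a component that is missing or
// empty is recorded as absent rather than as an empty string, so a device without, say, an optical drive
// still yields a stable value.
func FeatureInfo(ids map[string]string) string {
	var parts []string
	for _, name := range components {
		v := strings.ToLower(strings.TrimSpace(ids[name]))
		if v == "" {
			parts = append(parts, name+"=absent")
			continue
		}
		parts = append(parts, fmt.Sprintf("%s=%d:%s", name, len(v), v))
	}
	sum := sha256.Sum256([]byte(strings.Join(parts, ";")))
	return hex.EncodeToString(sum[:])
}

// Constructed sample readings: A and B are the same terminal enumerated in different orders and with a
// differently formatted CPU serial; C has a different hard disk.
var (
	readingA = map[string]string{"cpu": "BFEBFBFF000906EA", "mainboard": "MB-2015-0001", "disk": "WD-WX11A", "nic-mac": "00:11:22:33:44:55"}
	readingB = map[string]string{"nic-mac": "00:11:22:33:44:55", "disk": "WD-WX11A", "cpu": " bfebfbff000906ea", "mainboard": "MB-2015-0001"}
	readingC = map[string]string{"cpu": "BFEBFBFF000906EA", "mainboard": "MB-2015-0001", "disk": "WD-OTHER", "nic-mac": "00:11:22:33:44:55"}
)

func main() {
	fmt.Println(FeatureInfo(readingA) == FeatureInfo(readingB), FeatureInfo(readingA) == FeatureInfo(readingC))
}
```

The value FeatureInfo returns is what the manufacturer's system (B) would place in the registration application data block and what system A seals under Kd; because the comparison in phase 2 step 5 and phase 3 step 3 is an exact match, the canonicalisation has to be identical on the terminal and in the servers, which is why it is pinned down here rather than left to whatever format each hardware query returns.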
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510412791.3A CN106656499B (en) 2015-07-15 2015-07-15 Terminal equipment credibility authentication method in digital copyright protection system

Publications (2)

Publication Number Publication Date
CN106656499A true CN106656499A (en) 2017-05-10
CN106656499B CN106656499B (en) 2023-05-05

Family

ID=58815007

Country Status (1)

Country Link
CN (1) CN106656499B (en) Active

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant